Audit Report

OIG-11-106

INFORMATION TECHNOLOGY: Treasury’s Contract and Project Management of Treasury Network (TNet) Was Poor

September 22, 2011

Office of Inspector General
DEPARTMENT OF THE TREASURY

Contents

Audit Report

  Results in Brief
  Background
  Finding and Recommendations

Appendices

  Appendix 1: Objectives, Scope, and Methodology
  Appendix 2: Management Response
  Appendix 3: Office of Inspector General (OIG) Clarifications to Management Comments and Observations
  Appendix 4: Major Contributors to This Report
  Appendix 5: Report Distribution

Abbreviations

  ATO     authority to operate
  C&A     certification and accreditation
  CIO     chief information officer
  FIPS    Federal Information Processing Standards
  GLS     General Legal Services
  GSA     General Services Administration
  IRS     Internal Revenue Service
  OIG     Treasury Office of Inspector General
  OMB     Office of Management and Budget
  PMO     Program Management Office
  TCE     Treasury Communications Enterprise
  TCS     Treasury Communications Systems
  TNet    Treasury Network
  TIC     Trusted Internet Connections

Treasury’s Contract and Project Management of TNet Was Poor (OIG-11-106)

Audit Report
OIG
The Department of the Treasury
Office of Inspector General

September 22, 2011

Robyn East
Deputy Assistant Secretary for Information Systems and Chief Information Officer
Department of the Treasury

We are performing a series of audits to determine if the Department of the Treasury’s implementation of the Treasury Network (TNet)[1] was based on sound and effective contract management, project management, security management, and transition management.
This report provides the results of our assessment of Treasury’s TNet contract and project management. We will report on the remaining objectives in future audit reports.

To accomplish our objectives, we reviewed and analyzed documents related to contract administration and project management of the TNet task order. We also interviewed Treasury personnel responsible for the contract and project management of TNet, and representatives of the TNet contractor, AT&T. We performed our fieldwork in Washington, DC, from March 2009 through April 2011. Our objectives, scope, and methodology are described in appendix 1.

Results in Brief

Based on the results of our work, we concluded that Treasury’s contract and project management of TNet was poor. Specifically, the TNet statement of work that was included in the task order did not protect the government’s interest to obtain a timely enterprise network at the least possible cost. Critical system security requirements and key delivery dates were omitted from the task order rendering Treasury unable to pursue reasonable remedies or terminate the contract for default.
Furthermore, even after delivery dates were subsequently incorporated in task order modifications, Treasury officials still did not pursue available remedies to enforce the terms and conditions of the task order, essentially assuming responsibility for late delivery. Ultimately, the lack of effective leadership resulted in a poorly written, poorly planned, and poorly executed task order. Finally, we believe that inadequate contractor performance resulted in additional costs of $33 million to Treasury.[2]

[1] TNet is a wide area network that provides Treasury with e-mail, Internet, and voice traffic applications. The TNet task order was awarded under the General Services Administration Networx universal contract (Contract Number GS00T07NSD0007).

The TNet task order was awarded to AT&T on September 21, 2007. According to the initial TNet Transition Plan incorporated in AT&T’s response to Treasury’s request for quote, implementation of TNet was supposed to begin in October 2007 and be completed in 9 months.
However, due to a combination of AT&T and government delays, implementation did not begin until August 2009, nearly 2 years later.

[2] Based on the data the Office of Chief Information Officer provided to us on December 24, 2009, the expected monthly savings for transitioning from TCS to TNet was $3.7 million. We multiplied the monthly savings of $3.7 million by 9 months (October 2008 through July 2009) to determine the additional costs.

One of the reasons for the delay was AT&T’s submission of an insufficient certification and accreditation (C&A)[3] package that was rejected by Treasury and had to be resubmitted after additional testing. Another delay was due to the Office of Management and Budget (OMB) Trusted Internet Connections (TIC) initiative,[4] which was promulgated after the date the task order was awarded, and required additional features. Due to delays in transitioning to TNet, OMB included TNet on its list of 26 high risk projects in 2010.[5] Due to several security risks that needed to be remediated, TNet was operated under an interim authority to operate (ATO)[6] for over a year and a half, and finally received a full ATO on March 23, 2011.

[3] The C&A package is a comprehensive assessment of the management, operational, and technical security controls for a system. This information is used by officials to determine whether to authorize operation of an information system.

[4] The TIC initiative was mandated in OMB memorandum, M-08-05, issued in November 2007. The overall purpose of the initiative was to optimize and standardize individual external network connections, to include connections to the Internet, currently in use by the federal government. By reducing the number of access points, the government could more easily monitor and identify potentially malicious traffic.

[5] High risk projects as defined in OMB Circular A-11, Part 2, Section 53: Information Technology and E-Government (June 2008), include those projects requiring special attention from oversight authorities and the highest levels of agency management.

The reasons provided by Treasury officials for the deficiencies we identified during our audit are detailed in the finding below; however, we want to highlight a common theme that came out of our discussions with those officials that gave us great concern. Specifically, in the beginning, Treasury senior officials told us on several occasions of the urgency to transition from Treasury Communications Systems (TCS) to TNet. However, once the task order was issued, Treasury officials were reluctant to take action against the contractor for failure to meet the transition schedule. It became more important to the responsible officials to keep the contractor in place, regardless of the costs or consequences to the government, than to take the proper steps to either obtain satisfactory performance from the contractor or to terminate the contract.
As a consequence, we believe that not all aspects of this procurement were executed properly and that unacceptable shortcuts in the contracting process were taken. Obviously, the lessons of the Treasury Communications Enterprise (TCE) procurement failure were ignored.[7]

[6] ATO is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk associated with the system’s operation. ATO can only be granted after the authorizing official has assessed the results of the C&A package and deemed that the risk to agency operations, agency assets, or individuals is acceptable.

[7] Audit Report OIG-06-028, Major Acquisitions: Treasury Communications Enterprise Procurement Was Poorly Planned, Executed and Documented (February 2006), noted that poor planning and execution by Treasury officials delayed the TCE contract and increased its costs.

We are making five recommendations to the Treasury Chief Information Officer (CIO) to improve the contract and project management of TNet and future information technology acquisitions.

Management Response

In a written response, the Treasury CIO agreed with our recommendations and provided plans for corrective actions (see appendix 2). The response also stated that in pursuit of Treasury’s goal of continually strengthening the management and oversight of all information technology projects, TNet's management oversight activities were placed under the Treasury Office of the CIO as of September 29, 2010.

With respect to determining whether damages resulting from contractor delay from October 2008 through July 2009 are legally available, the response stated that based on an opinion from the Internal Revenue Service (IRS) General Legal Services (GLS), it is Treasury’s position that the government does not have a legal basis to recover damages from AT&T for contractor delays.

With regard to implementing appropriate policies, procedures, and controls to ensure that all prospective statements of work, contracts or task orders, for acquisition of information systems clearly state the appropriate Federal Information Processing Standards (FIPS) 199 security category and specify the delivery date of an acceptable C&A package, the response stated that such guidance would be implemented.

Management’s response also included assurances that any future timing modifications to the TNet task order will be specified and damages resulting from future contractor-caused delay(s) will be pursued.

OIG Comment

The Treasury CIO’s planned corrective actions are responsive to our recommendations. While we understand that through consultation between the TNet contracting officer and IRS GLS, it was IRS GLS’s opinion that Treasury’s actions precluded it from seeking legal remedies for contractor-caused delays in the TNet task order, we believe there may be some merit in reevaluating this position.

Treasury’s management response also commented on several other matters in our report. Our clarifications to the comments that Treasury made in its management response to the draft report are included in appendix 3.

Background

TCS was Treasury’s telecommunications infrastructure that integrated the Federal Telecommunications System 2000[8] and network-based services. TCS enabled a wide range of applications through independent networks to support Treasury’s mission. The TCS contract was awarded on September 28, 1995, and was due to expire on September 27, 2005, but out of necessity due to TNet delays, was extended to September 27, 2010.

On May 4, 2004, Treasury issued a request for proposal for a TCS replacement contract, TCE, to supply telecommunications services to Treasury, including its bureaus and offices. It was envisioned that TCE would enable the convergence of data, voice, and video technologies into a single network infrastructure that supported the operation of applications and services across the entire operating environment through enterprise-wide managed services.
Under TCS, telecommunications equipment was contractor-maintained but Treasury-owned. Under TCE, the contractor was to take title to existing TCS network assets and use any equipment it considered useful in providing network connectivity and management services, and dispose of the remaining equipment.

On December 3, 2004, Treasury awarded the TCE contract to AT&T. The procurement was protested by five unsuccessful bidders and on March 16, 2005, the Government Accountability Office issued a decision in favor of the protestors. Following a comprehensive review in conjunction with the General Services Administration (GSA) and OMB, Treasury reopened the TCE procurement on August 15, 2005. The reopened procurement included a series of solicitation amendments and four rounds of discussions with the bidders, for a total of five rounds of proposal submissions and evaluations.

[8] Federal Telecommunications System 2000 is the federal government’s long-distance telecommunications program administered by the GSA. It is a private network that provides voice, data, and video services to federal employees across the country. Treasury used Federal Telecommunications System 2000 for all nonlocal voice services and for services mandated by Federal Information Resources Management regulations.

In a memorandum of agreement with GSA, dated December 20, 2006, Treasury agreed to procure wide area network services under GSA’s Networx universal contract.
The procurement was called TNet. On December 21, 2006, Treasury cancelled the TCE procurement.

On September 21, 2007, Treasury awarded the TNet task order to AT&T. The cost for TNet was initially estimated at $270 million. The contract cost is now estimated at $391 million. Based on AT&T’s proposal, implementation of TNet was to have started in October 2007. However, implementation under an interim ATO did not start until August 2009. Furthermore, TNet did not receive a full ATO until March 23, 2011, over a year and a half later, due to a number of security risks that needed to be remediated.

The Treasury CIO, as the authorizing official for TNet, has the responsibility and accountability for operating TNet at an acceptable level of risk to Treasury operations, assets, and individuals. As such, the CIO is responsible for approving the security requirements for TNet.

The responsibility for managing and administering the TNet task order was delegated to the IRS Procurement Office. Accordingly, TNet’s contracting officer was appointed from that office. Program oversight of the TNet contractor’s operations is performed by the IRS Program Management Office (PMO). That office also serves as an interface between Treasury and AT&T to monitor service level agreements and manage invoices. Accordingly, TNet’s contracting officer’s technical representative works out of the IRS PMO.
He is responsible for, among other things, maintaining the complete contract working files, although he relied on other staff within the IRS PMO to fulfill this responsibility.

Treasury bureaus provided input through the CIO Council, sub-councils, and working groups, and served as control points for approvals and strategic direction setting for TNet.

Finding and Recommendations

Finding  Treasury’s Contract and Project Management of TNet Was Poor

From the onset, exacerbated by a poorly written statement of work, the TNet transition was plagued with contractor- and government-caused delays. Among the major reasons for delay was that the first C&A package for TNet that AT&T delivered on December 11, 2008, failed to meet Treasury’s requirements. Additional delays resulted because the statement of work lacked specific critical system security requirements and did not articulate due dates for key contract deliverables, like the C&A package. Furthermore, when delays occurred, Treasury issued task order modifications that extended deliverable dates without determining whether the delays were caused by inadequate contractor performance. Without making such a determination, Treasury assumed all the costs for delays.
Overall, we found that TNet delays resulted from what we can only describe as inept leadership and ineffective communication in putting together the statement of work, followed by poor contract and project management. We do acknowledge that one delay was attributable to OMB’s TIC initiative, which was beyond Treasury’s control since it was promulgated after the task order was awarded.

Below is a more detailed discussion of the issues we identified in our review of the TNet contract and project management that were within Treasury’s control.

Absence of Defined Security Requirements

The TNet statement of work did not identify the applicable security category for this information system. Specifically, it did not include the National Institute of Standards and Technology FIPS 199 security category.[9] We also noted that a shortcut was taken in TNet’s statement of work, which was essentially copied from the one prepared for the failed TCE solicitation which also did not include the FIPS 199 security level.

[9] FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, (February 2004), requires federal agencies to establish the security level of protection required for an information system operated on behalf of or owned by the agency.

As the TNet statement of work did not specify the FIPS 199 overall security category, AT&T executives informed us that they assumed that TNet’s overall FIPS 199 security category was moderate and this was reflected in their proposal. AT&T based their assumption on other work they had performed for Treasury. However, the overall security category assigned to TCS, which TNet replaced, was high. TNet was to provide Treasury with functions and services at least equal to those provided by TCS. Accordingly, to avoid any misunderstanding, Treasury should have ensured the TNet statement of work clearly identified the overall security category requirement.

Nevertheless, it was not until August 5, 2009, that the TNet task order was modified to explicitly require a FIPS 199 overall security category of high. Since the cost of this modification was determined based on negotiation, rather than competition, we believe the cost was most likely greater than it would have been had the security requirements been included in the initial statement of work.
A former Treasury CIO agreed that a security level of high should have been assigned before the TNet task order was awarded to AT&T.

We could not determine whether this statement of work deficiency was a result of lack of knowledge of the requirements of FIPS 199, negligence, a rush to award the task order, or some other cause. Office of CIO officials could not identify who was responsible for the preparation of the statement of work or how this oversight occurred. Furthermore, we could not identify any effective Treasury policies, procedures, or controls in place to prevent this from happening again in future information technology acquisitions.

No Delivery Date for the TNet C&A Package

Treasury did not specify the deliverable date for the TNet C&A package in the statement of work. As a result, there was no contractual requirement for AT&T to deliver it in a timely manner. Until this omission was corrected by a modification to the task order, it could have, for all practical purposes, indefinitely delayed the TNet transition because the Treasury CIO could not have made an ATO determination.[10] Compounding the problem, Treasury could not terminate the task order for default because there was no contractual delivery date in the statement of work for the C&A package.[11]

[10] National Institute of Standards and Technology Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004), states that an accrediting official needs to review the C&A package prior to granting an ATO.

[11] Federal Acquisition Regulation 52.249-8(a)(1) is the standard "Default" clause permitting the government to terminate a contract for default where the contractor breaches the contract. The standard "Default" clause entitles the government to re-procure the supplies or services required under the terminated contract, and charge the excess costs to the terminated contractor.

When we spoke to Treasury officials about why the statement of work lacked a delivery date for the C&A package, we were informed that they believed that such a date was unnecessary because the contractor had an incentive to deliver it promptly since no payments would be made until TNet was fully operational. However, this line of reasoning failed because it did not adequately ensure that Treasury received its mission critical telecommunication services in a timely manner. This was demonstrated by the fact that Treasury, out of necessity, had to extend the TCS contract.

Therefore, until a contractual date of delivery was provided, Treasury’s only options would have been to wait until the contractor provided an acceptable C&A package or terminate the contract for the convenience of the government. If Treasury had chosen the latter option, Treasury would have had to pay for all expenses incurred by the contractor at the date of termination and incur the expense of reprocurement. In our opinion, neither of these options was acceptable, and both would have resulted in additional costs to Treasury.

Contracting Officer Failed to Include a Revised Timeline in Modification Number 5 for TIC

The contracting officer failed to provide a time extension for modification number 5. This modification was issued on April 23, 2008, and incorporated a significant number of security changes, which were collectively referred to as Enhanced Internet Access Security Service. These enhancements included TIC, which required a significant change in the planned deployment, making the original plan of a 9-month transition from the existing contract unrealistic. Modification number 5 did not incorporate any changes to the schedule (i.e., a revised timeline), even though the original schedule was no longer reasonable.
Subsequently, modification 13, which was issued on August 20, 2008, incorporated the TIC pricing changes; however, there was still no revised timeline.

According to Federal Acquisition Regulation 52.243-1(b), if there is a change in the contract that causes an increase or decrease in the cost or time required to complete the work, the contracting officer is required to make an equitable adjustment in the contract price, the delivery schedule, or both, and modify the contract.

In this case, modification number 13 adjusted the price for the changes reflected in modification number 5 but did not adjust the delivery schedule. According to the contracting officer, a revised delivery schedule should have been incorporated into the contract. However, it was not done because of an oversight on the part of Treasury. By issuing modification number 5 without updating the schedule in the contract, Treasury allowed AT&T to essentially deliver TNet on an ad hoc basis. In other words, the original schedule was no longer valid because of the necessary additional amount of time required for TIC implementation, and there was no updated schedule to hold the contractor responsible.

Treasury Assumed Responsibility for TNet Contractor Delays

Treasury issued task order modifications that extended deliverable dates without determining whether the delays were caused by inadequate contractor performance. Without making such a determination, Treasury essentially assumed responsibility for all delays, regardless of who was responsible for causing them.
While one of the delays was the result of additional work needed to meet OMB’s TIC requirement, we believe that much of the additional delays were due to inadequate contractor performance.

Based on our review of the contract files, we believe that AT&T’s inadequate performance resulted in delays beginning in October 2008 and lasting through July 2009 (9 months). AT&T’s performance issues resulted in increased cost to Treasury since it was necessary to continue funding the TCS contract. Accordingly, we believe Treasury should have assessed damages from AT&T. The contractor-caused delays that we identified are as follows:

• The TNet Transition Plan Version 2.0 dated August 22, 2008, included the C&A package deliverable date as October 21, 2008. This transition plan initially included AT&T’s response to the request for quote, and all subsequent revisions were incorporated into the TNet task order by reference. Therefore, we believe the delivery date included in the transition plan should have been enforceable. On October 1, 2008, AT&T notified Treasury that due to continued security testing at two major facilities, the C&A package would be delivered on November 14, 2008. However, the C&A package was not delivered to Treasury on November 14, 2008.

• Modification number 24, issued December 18, 2008, provided the explicit delivery date for the C&A package on December 11, 2008. We noted here that the modification was issued to require a past due date. An IRS procurement official identified 8 previous AT&T delays since program commencement. However, we were surprised to find that the modification did not include any assessment of responsibility for previous delays.
    In fact, the supporting documentation stated, “throwing in the penalty language may just make this more contentious and put AT&T on the defensive.” Apparently, it was more important for Treasury to keep AT&T in place, regardless of costs or consequences to the government, than to take the proper steps to either obtain satisfactory performance from the contractor or to terminate the contract. Even so, AT&T did deliver a C&A package on the required date of December 11, 2008. On January 9, 2009, the contracting officer notified AT&T that an ATO was not granted for TNet because of an unacceptable number of security risks in the system, Treasury’s inability to confirm AT&T’s scope of testing to which the system had been subjected, and a lack of traceability with respect to security testing and evaluation of the system.

• Modification number 34, issued April 21, 2009, set July 3, 2009, as the new deliverable date for a C&A package since the C&A package submitted by AT&T on December 11, 2008, was rejected by Treasury on January 9, 2009, due to the poor quality of the test results. Again, this modification did not contain any assessment of the delay caused by the contractor. Treasury simply set a new deliverable date, and AT&T subsequently failed to meet the July 3, 2009, date.

• Modification number 42, issued June 15, 2009, extended the delivery date for the C&A package to July 22, 2009, because of additional delays in performing security testing and evaluation. And, once again, this modification did not contain any assessment of responsibility for not meeting the July 3, 2009, deliverable date set in modification 34.
    The supporting documentation for this modification stated that it
    was issued as a “NO COST” modification and that the government
    would not seek any damages due to the fact that the delay was both
    contractor- and government-caused. We disagree. In a letter
    dated June 10, 2009, from AT&T Director of Contracts
    addressed to TNet’s contracting officer, AT&T took primary
    responsibility for the delay and there was no mention of the
    government’s role in the delay. This new delivery date of July
    22, 2009, set in modification 42, was met by AT&T and the
    C&A package was used as the basis for the former CIO’s
    decision to provide an interim ATO for TNet.

In summary, AT&T’s TNet Transition Plan and subsequent revisions
were included in the task order by reference, and therefore, we
believe that the C&A package submission date of October 21,
2008, specified in AT&T’s TNet Transition Plan Version 2.0, was
enforceable. Furthermore, even after the delivery dates were
explicitly established in the contract with modification number 24
and subsequently adjusted by modifications numbered 34 and 42,
Treasury did not assess any damages against AT&T for
contractor-caused delays.

According to Federal Acquisition Regulation 52.243-1(b), if there is
a change in the contract that causes an increase or decrease in the
cost or time required to complete the work, the contracting officer
is required to make an equitable adjustment in the contract price,
the delivery schedule, or both, and modify the contract.

We asked the contracting officer if AT&T was responsible for any
delays. He responded that AT&T was not solely responsible for the
delays and did not think any assessment of damages was
appropriate.

We disagree.
As discussed above, we believe that AT&T’s
inadequate performance resulted in additional costs of $33 million
to Treasury for extending the TCS contract.

By issuing the task order modifications that extended delivery dates
without assessing damages to the contractor, not only did Treasury
miss an opportunity for recovering some of the cost to the
government due to contractor-delays, but Treasury also may not
have future legal recourse for claiming these damages. We also
believe that by doing so, Treasury took a shortcut in order to keep
AT&T in place instead of pursuing available remedies to ensure
adequate performance. Going forward, the contracting officer must
be diligent to ensure that damages are assessed to the contractor
when the contractor has failed to perform, to include failure to
deliver in a timely manner. Furthermore, decisions not to pursue
damages should only be made when in the best interest to the
government, and should be appropriately documented and
maintained in the contract file. In instances where fault is unclear,
the contracting officer should expressly reserve the right to pursue
legal remedies when issuing modifications.

Recommendations

We recommend that the Treasury CIO do the following:

1. In coordination with the contracting officer, determine whether
   damages resulting from contractor delay from October 2008
   through July 2009 are legally available and, if so, pursue them.

   Management Response

   Treasury concurred with this recommendation. The contracting
   officer consulted with the IRS GLS to determine whether
   damages are legally available to the government.
   Based on an opinion from IRS GLS dated June 8, 2011, it is
   Treasury's position that the government does not have a legal
   basis to recover damages from AT&T for contractor delays.

   OIG Comment

   Management’s corrective action is responsive to our
   recommendation. However, we believe there may be some
   merit in reevaluating IRS GLS’s position.

2. Implement appropriate policies, procedures, and controls to
   ensure that all prospective statements of work for acquisition of
   information systems clearly state the appropriate FIPS 199
   security category.

   Management Response

   Treasury concurred with this recommendation. Treasury and IRS
   plan to implement guidance that requires statements of work for
   the acquisition of information systems to clearly state the
   appropriate FIPS 199 security category, as applicable. It is
   anticipated that this corrective action will be implemented by
   May 31, 2012.

   OIG Comment

   Management’s planned corrective action is responsive to our
   recommendation.

3. Implement appropriate policies, procedures, and controls to
   ensure that all prospective contracts or task orders for
   acquisition of information systems specify the delivery date of
   an acceptable C&A package.

   Management Response

   Treasury concurred with this recommendation. Treasury and IRS
   plan to implement guidance that requires all contracts or task
   orders for the acquisition of information systems to specify the
   delivery date of an acceptable C&A package, as applicable. It is
   anticipated that this corrective action will be implemented by
   May 31, 2012.

   OIG Comment

   Management’s planned corrective action is responsive to our
   recommendation.

4. In coordination with the contracting officer, ensure that all
   future modifications to the TNet task order contain time
   extensions, as appropriate, for changes in the contract
   impacting the time required to complete the work.

   Management Response

   Treasury concurred with this recommendation. The contracting
   officer, in coordination with the TNet PMO, will ensure that
   modifications to the TNet task order contain time extensions, as
   appropriate, for changes in the contract impacting the time
   required to complete the work. According to management, this
   corrective action was implemented on July 15, 2011.

   OIG Comment

   Management’s reported corrective action is responsive to our
   recommendation.

5. In coordination with the contracting officer, ensure that all
   future modifications to the TNet task order assess damages
   resulting from contractor-caused delay, as appropriate.

   Management Response

   Treasury concurred with this recommendation. The contracting
   officer, in coordination with the TNet PMO and IRS GLS, will
   assess damages resulting from future contractor-caused delay(s)
   and ensure that the contract file documents the assessment and
   any potential compensation. Any resulting modification will
   include negotiated compensation, as applicable. According to
   management, this corrective action was implemented on July
   15, 2011.

   OIG Comment

   Management’s reported corrective action is responsive to our
   recommendation.

                                 ******

I would like to extend my appreciation to the Office of the CIO, the
IRS Procurement Office, and the TNet PMO for the cooperation and
courtesies extended to my staff during the audit.
If you have any
questions, please contact me at (202) 927-5171 or Abdirahman
Salah, Information Technology Audit Manager, at (202) 927-5763.
Major contributors to this report are listed in appendix 3.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objectives, Scope, and Methodology

The objectives of our overall audit are to determine if the
Department of the Treasury’s implementation of Treasury Network
(TNet) was based on sound and effective contract management,
project management, security management, and transition
management. This report focuses only on our assessment of
Treasury’s TNet contract and project management. We will report
the results related to the remaining objectives in future audit
reports. This audit was included in the Office of Inspector General
Annual Plan.

We reviewed and analyzed documents related to contract
administration and project management of the TNet task order
including: the statements of work, requests for quote, the
contractor’s proposals, cost and pricing information, the
contracting officer’s technical representative files, and the TNet
contract and contract modifications 1 through 50. In addition, we
interviewed Treasury personnel responsible for the contract and
project management of TNet, and management and representatives
of the TNet contractor, AT&T. We performed our fieldwork in
Washington, DC, from March 2009 through April 2011.

We conducted this performance audit in accordance with generally
accepted government auditing standards. Those standards require
that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives.
We believe that the
evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

Appendix 2
Management Response

See appendix 3 for OIG Clarifications to Management Comments and
Observations

Appendix 3
Office of Inspector General (OIG) Clarifications to Management Comments and
Observations

The Treasury Chief Information Officer (CIO) provided general
comments and observations contained in the management
response (see appendix 2) for our consideration. Our clarifications
to the comments made in the management response to the draft
report are found below.

Management Comment 1

Comment regarding “page [8], [last] paragraph - Absence of
Defined Security Requirements - The TNet statement of work did
not identify the applicable security category for this information
system.
Specifically, it did not include the National Institute of
Standards and Technology Federal Information Processing
Standards (FIPS) 199 security category.”

The security category was defined as moderate in the AT&T
General Services Administration (GSA) Networx universal contract.
Therefore, the security category for Treasury Network (TNet) was
initially defined as moderate since TNet is a task order under this
base contract. At the time of the release of the request for quote
and the subsequent award of the task order, a security level higher
than moderate was not required.

OIG Clarification 1

Based on the work that we performed during the audit, we found
that the Networx security category was not defined within GSA’s
Networx universal contract. The GSA official informed us that the
acquiring agency needed to specify the overall security category for
the system being procured in the specific task order under the
Networx universal contract. Finally, AT&T executives also told us
that the Networx universal contract did not identify the security
category. It should be noted that based on the statement of work,
TNet was to provide Treasury with functions and services at least
equal to those provided by Treasury Communications Systems
(TCS). TCS’s overall security category was high. Therefore, the
statement of work for the TNet contract should have identified the
overall security category requirement of TNet as high.

Management Comment 2

Comment regarding “page [9], [last] paragraph - No Delivery Date
for the TNet certification and accreditation (C&A) Package -
Treasury did not specify the deliverable date for the TNet C&A
package in the statement of work.
As a result, there was no
contractual requirement for AT&T to deliver it in a timely
manner.”

The original task order included a delivery date for the C&A
package. In accordance with the TNet task order, Section 1.2,
"Summary of Deliverables Plan," required the C&A plan to be
provided to the government within 30 days of task order notice to
proceed.

OIG Clarification 2

The TNet original task order did specify a delivery date for the C&A
plan, 30 days after task order notice to proceed or with the Final
Transition Plan. However, there was no specified delivery date for
the associated C&A documentation. To be clear, a C&A plan
generally identifies the roles and responsibilities for accrediting the
system and forms the basis for the activities to be performed and
documents to be produced. This C&A plan is not the same as a
C&A package, which includes C&A documentation; a full C&A
package is required before the authorizing official can issue an
authorization to operate. Additionally, the TNet original task order
also required that the C&A documentation, as defined within the
National Institute of Science and Technology Special Publication
800 series, be delivered to the government 15 working days in
advance of the C&A due date.
However, the C&A due date was
not specified in the original TNet task order.

Management Comment 3

Comment regarding “page [11], [last] paragraph - Treasury
Assumed Responsibility for TNet Contractor Delays - Treasury
issued task order modifications that extended deliverable dates
without determining whether the delays were caused by
inadequate contractor performance.”

The TNet contracting officer in coordination with the TNet Program
Management Office, extended deliverable dates when determined
to be in the best interest of the government. At no time during the
transition period was it determined by the TNet contracting officer,
in coordination with the TNet contracting officer technical
representative and TNet Program Management Office, that there
were any delays that could be solely attributed to the performance
of AT&T.

OIG Clarification 3

Based on our work, we believe that the delays could be directly
attributed to contractor performance.
As discussed in the body of
this report under the section entitled “Treasury Assumed
Responsibility for TNet Contractor Delays,” we identified a number
of examples where AT&T’s performance, or lack thereof, resulted
in delays to the contract.

Management Comment 4

Comment regarding “page [13], last paragraph - Treasury Assumed
Responsibility for TNet Contractor Delays - In summary, AT&T's
TNet Transition Plan and subsequent revisions were included in the
task order by reference, and therefore, we believe that the C&A
package submission date of October 21, 2008, specified in AT&T's
TNet Transition Plan Version 2.0, was enforceable.”

In August 2008, the Treasury Chief Information Officer determined
that the TNet security level must be increased from moderate to
high. This change in the security categorization requirement
prompted a modification to the GSA Networx universal contract
and a modification to the Treasury task order, and ultimately
caused AT&T to have to modify its C&A package. Therefore, it
was not considered prudent to enforce the government's
contractual rights on a deliverable based on a moderate security
level. AT&T provided its high security level proposal in November
2008 and it was accepted by Treasury in June 2009.

OIG Clarification 4

We believe that the C&A package submission date of October 21,
2008, specified in AT&T’s TNet Transition Plan Version 2.0, was
enforceable.

Management Comment 5

Comment regarding page 4, middle paragraph, second to the last
sentence.
“It became more important to the responsible officials to
keep the contractor in place, regardless of the costs or
consequences to the government, than to take the proper steps to
either obtain satisfactory performance from the contractor or to
terminate the contract.”

This statement is inaccurate and it does not reflect the risk-based
assessments that Treasury officials performed in deciding to
maintain the contract. There were no remedies in the service level
agreement available to Treasury to change the performance short
of termination. Accordingly, Treasury determined that it was
preferable to implement a more disciplined program management
approach to drive the implementation forward rather than terminate
the contract and start from scratch.

OIG Clarification 5

Based on our review, there was no documentation provided to
evidence that Treasury management conducted a risk-based
assessment as to whether or not to maintain the contract. In fact,
the supporting documentation for modification number 24 states,
“throwing in the penalty language may just make this more
contentious and put AT&T on the defensive,” demonstrating
management’s reluctance to take the steps that were necessary to
obtain satisfactory performance from the contractor.

Appendix 4
Major Contributors to This Report

   Office of Information Technology (IT) Audit

      Tram J. Dang, Audit Director
      Abdirahman M. Salah, IT Audit Manager
      Larissa Klimpel, IT Specialist
      Kevin Mfume, IT Specialist
      Katherine E. Johnson, Referencer

Appendix 5
Report Distribution

Department of the Treasury

   Office of the Chief Information Officer
   Office of Accounting and Internal Control
   Office of Strategic Planning and Performance Management

Office of Management and Budget

   Office of Inspector General Budget Examiner
'